Blame SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch

537b07
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
537b07
index e55b014b2c..431ea738b8 100644
537b07
--- a/runtime/nsd_ossl.c
537b07
+++ b/runtime/nsd_ossl.c
537b07
@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
537b07
 
537b07
 	/* Loop through ERR_get_error */
537b07
 	while ((un_error = ERR_get_error()) > 0){
537b07
-		LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
537b07
+		LogMsg(0, RS_RET_NO_ERRCODE, severity,
537b07
+			"nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
537b07
 	}
537b07
 }
537b07
 
537b07
@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
537b07
 		if(pThis->bReportAuthErr == 1) {
537b07
 			errno = 0;
537b07
 			LogError(0, RS_RET_INVALID_FINGERPRINT,
537b07
-			"nsd_ossl:error:"
537b07
-			" peer fingerprint '%s' unknown - we are "
537b07
-			"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
537b07
+				"nsd_ossl:error: peer fingerprint '%s' unknown - we are "
537b07
+				"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
537b07
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+				"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 			pThis->bReportAuthErr = 0;
537b07
 		}
537b07
 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
537b07
@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
537b07
 			cstrFinalize(pStr);
537b07
 			errno = 0;
537b07
 			LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized -  "
537b07
-					"not permitted to talk to it. Names: %s",
537b07
-					cstrGetSzStrNoNULL(pStr));
537b07
+				"not permitted to talk to it. Names: %s",
537b07
+				cstrGetSzStrNoNULL(pStr));
537b07
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+				"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 			pThis->bReportAuthErr = 0;
537b07
 		}
537b07
 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
537b07
@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
537b07
 		if(pThis->bReportAuthErr == 1) {
537b07
 			errno = 0;
537b07
 			LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
537b07
-					"not permitted to talk to it");
537b07
+				"not permitted to talk to it");
537b07
 			pThis->bReportAuthErr = 0;
537b07
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+				"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 		}
537b07
 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
537b07
 	}
537b07
@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
537b07
 		if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
537b07
 			if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
537b07
 				LogError(0, RS_RET_CERT_EXPIRED,
537b07
-					"nsd_ossl:CertValidity check"
537b07
-"- not permitted to talk to peer: certificate expired: %s",
537b07
+					"nsd_ossl:CertValidity check - not permitted to talk to peer: "
537b07
+					"certificate expired: %s",
537b07
 					X509_verify_cert_error_string(iVerErr));
537b07
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+					"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 				ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
537b07
 			} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
537b07
 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
537b07
-					"nsd_ossl:CertValidity check"
537b07
-"- warning talking to peer: certificate expired: %s",
537b07
+					"nsd_ossl:CertValidity check - warning talking to peer: "
537b07
+					"certificate expired: %s",
537b07
 					X509_verify_cert_error_string(iVerErr));
537b07
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+					"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 			} else {
537b07
 				dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
537b07
 					X509_verify_cert_error_string(iVerErr));
537b07
@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
537b07
 		} else {
537b07
 			LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
537b07
 				"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
537b07
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+				"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 			ABORT_FINALIZE(RS_RET_CERT_INVALID);
537b07
 		}
537b07
 	} else {
537b07
@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
537b07
 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
537b07
 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
537b07
 		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
537b07
-"No shared curve between syslog client and server.");
537b07
+		"No shared curve between syslog client and server.");
537b07
 	}
537b07
 	#endif
537b07
 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
537b07
@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
537b07
 				resErr == SSL_ERROR_WANT_WRITE) {
537b07
 				pNsd->rtryCall = osslRtry_handshake;
537b07
 				pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
537b07
-				LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
537b07
-"TLS handshake failed between syslog client and server.");
537b07
 				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
537b07
 					"immediately - setting to retry (this is OK and normal)\n");
537b07
 				FINALIZE;
537b07
@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
537b07
 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
537b07
 			} else {
537b07
 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
537b07
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
537b07
+					"nsd_ossl:TLS session terminated with remote syslog server.");
537b07
 				ABORT_FINALIZE(RS_RET_NO_ERRCODE);
537b07
 			}
537b07
 		}
537b07
@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
537b07
 	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
537b07
 	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
537b07
 
537b07
-	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
537b07
-"TLS Connection initiated with remote syslog server.");
537b07
+	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
537b07
+		"TLS Connection initiated with remote syslog server.");
537b07
 	/*if we reach this point we are in tls mode */
537b07
 	DBGPRINTF("Connect: TLS Mode\n");
537b07
 	if(!(pThis->ssl = SSL_new(ctx))) {